[PATCH] Add ssl_client_EKU nginx variable.

Andrey Kulikov amdeich at gmail.com
Thu Sep 10 00:34:41 UTC 2015


Small correction - replace magic value with sizeof().

On 9 September 2015 at 02:46, Andrey Kulikov <amdeich at gmail.com> wrote:

> Hello,
>
> Please find attached patch, that adds ssl_client_EKU nginx variable.
>
> Variable contains comma-separated list of OIDs, presented in
> client's certificate (if any). If EKU extension is absent, empty line will
> be returned.
> Dot-separated form of OID chosen rather than human-readable
> short name, as EKU may contain values OpenSSL not aware of,
> and we receive "UNDEF" only in this case.
> Purpose is to use in Lua scripts, or let backend server know the list of
> EKUs, as it can contain a lot more than just 'TLS Client Authentication'.
> (for those who read in Russian:
> http://www.infotrust.ru/data/Docs/InfoTrustCP.pdf page 37, as an example)
>
> For example directive
>         proxy_set_header X-ClientCert-EKU           $ssl_client_EKU;
> will result in following in proxied header:
> X-ClientCert-EKU: 1.3.6.1.5.5.7.3.2,1.2.643.3.34.2.6,1.2.643.3.34.2.1
>
> Tested on 1.8.0, 1.9.4
>
> Best wishes,
> Andrey
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: add_ssl_client_EKU_var.patch
Type: text/x-patch
Size: 4051 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20150910/16f5ae60/attachment.bin>
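
Added example (not part of the original message or of the attached patch): one way a backend could consume the X-ClientCert-EKU header described above, parsing the comma-separated dotted OIDs strictly and failing closed. The function names, the required-EKU policy and the treatment of an empty value as "deny" are assumptions of this sketch, and it presumes the backend is reachable only through the nginx instance that sets the header.

```python
import re

# Sample value copied from the message above.
SAMPLE = "1.3.6.1.5.5.7.3.2,1.2.643.3.34.2.6,1.2.643.3.34.2.1"

# Assumed policy for this sketch: require id-kp-clientAuth
# ('TLS Client Authentication'), the first OID in the sample.
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

# Dotted-decimal OID: first arc 0-2, at least two arcs, no leading zeros.
_OID_RE = re.compile(r"[0-2](\.(0|[1-9][0-9]*))+")


def parse_eku_header(value):
    """Return the set of OIDs in one header value.

    An empty value (EKU extension absent) gives an empty set. Anything that
    is not a well-formed OID list raises ValueError, so a malformed value is
    rejected as a whole instead of being partially trusted.
    """
    value = value.strip()
    if not value:
        return frozenset()
    oids = value.split(",")
    for oid in oids:
        if not _OID_RE.fullmatch(oid):
            raise ValueError(f"malformed OID in EKU header: {oid!r}")
    return frozenset(oids)


def client_allowed(header_values, required=frozenset({CLIENT_AUTH})):
    """Access decision from every occurrence of the header in one request.

    Exactly one occurrence is expected from the proxy; zero or several means
    the request did not take the expected path, so the answer is False.
    """
    if len(header_values) != 1:
        return False
    try:
        ekus = parse_eku_header(header_values[0])
    except ValueError:
        return False
    # Set membership compares whole OID strings, so 1.3.6.1.5.5.7.3.21
    # cannot pass for 1.3.6.1.5.5.7.3.2 as a substring check would allow.
    return required <= ekus
```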

